[4/6] msi: Avoid accessing memory before the left hand string in compare_substring.

Hans Leidekker hans at codeweavers.com
Fri Sep 24 10:09:04 CDT 2010


---
 dlls/msi/cond.y |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/dlls/msi/cond.y b/dlls/msi/cond.y
index 9a7a16d..03ea493 100644
--- a/dlls/msi/cond.y
+++ b/dlls/msi/cond.y
@@ -462,11 +462,21 @@ static INT compare_substring( LPCWSTR a, INT operator, LPCWSTR b )
     case COND_LHS:
     	return 0 == strncmpW( a, b, lstrlenW( b ) );
     case COND_RHS:
-    	return 0 == lstrcmpW( a + (lstrlenW( a ) - lstrlenW( b )), b );
+    {
+        int l = lstrlenW( a );
+        int r = lstrlenW( b );
+        if (r > l) return 0;
+        return 0 == lstrcmpW( a + (l - r), b );
+    }
     case COND_ILHS:
     	return 0 == strncmpiW( a, b, lstrlenW( b ) );
     case COND_IRHS:
-        return 0 == lstrcmpiW( a + (lstrlenW( a ) - lstrlenW( b )), b );
+    {
+        int l = lstrlenW( a );
+        int r = lstrlenW( b );
+        if (r > l) return 0;
+        return 0 == lstrcmpiW( a + (l - r), b );
+    }
     default:
     	ERR("invalid substring operator\n");
         return 0;
-- 
1.7.0.4







More information about the wine-patches mailing list